Kaspersky Labs report shown to refer to outdated versions of OPC UA implementations demonstrating high iteration speed of Open Source community improvements and the strength of OPC UA security.
Scottsdale, AZ – May 18th, 2018 – The Kaspersky Labs report issued on May 10th, 2018 has garnered a lot of media attention based on its claim of having identified 17 security issues in some OPC UA implementations. A detailed description of the 17 issues can be found at https://opcfoundation.org/security/. The OPC Foundation has and continues to be committed to ensuring the OPC UA standard provides the highest levels of security and as such has reviewed the claims made in the Kaspersky report and found that:
- Eight issues were associated with an OPC Foundation ANSI-C sample server application that was provided with the ANSI-C stack code in GitHub. These issues did not affect the ANSI C stack itself or products based on commercial SDKs. Nevertheless, all issues have been fixed.
- Six issues were associated with the OPC Foundation server enumerator (LDS). These were fixed in 2017 and a CVE was published. These issues were not exploitable remotely.
- Three issues affected some products in the field. Specifically:
a.) One issue was specific to a product from a vendor who published a CVE in 2016;
b.) The second issue is specific to a product from a vendor who is working on a fix and will report it to US ICS CERT as soon as possible;
c.) The third issue affected a legacy .NET stack that was promptly fixed by the OPC Foundation in 2017. OPC users were notified of this issue via a CVE in 2017.
In addition, to alleviate potential confusion the Kaspersky Labs report may have created about the strong security the OPC UA standard offers, the OPC Foundation emphasizes that:
- The OPC UA software eco-system is composed of multiple commercial OPC UA SDK/Toolkit vendors that offer well tested and well documented products.
- The vast majority of OPC UA products are based on these commercial OPC UA SDK/Toolkits and are not affected by the issues with the ANSI-C sample server application published on GitHub.
The OPC Foundation works cooperatively with vendors to have the open source code base tested by external security organizations and have those results incorporated into GitHub.
The broad adoption of OPC UA on a global basis reflects the market’s deep need for secure, open data connectivity and interoperability in manufacturing and beyond. Fortunately, this means that the OPC UA standard and its various open-source implementations are continuously subjected to close scrutiny by many in the large and active OPC UA community; something the OPC Foundation openly welcomes as this only makes the open-source implementations better.
Detailed information on the process for managing security issues can be found at https://opcfoundation.org/security/. The OPC Foundation is committed to addressing all issues as they arise, to working with OPC vendors to ensure that software is patched quickly, and to notifying OPC users about the issues and the fixes. This process of continuous improvement based on open source software is a major reason why OPC UA is so successful in market today. The OPC Foundation will continue to provide its users with the robust and secure foundation that they expect from a key industrial interoperability standard.
About the OPC Foundation:
Since 1996, the OPC Foundation has facilitated the development and adoption of the OPC information exchange standards. As both advocate and custodian of these specifications, the Foundation’s mission is to help industry vendors, end-users, and software developers maintain interoperability in their manufacturing and automation assets. The OPC Foundation is dedicated to providing the best specifications, technology, process and certification to achieve multivendor, multiplatform, secure, reliable interoperability for moving data and information from the embedded world to the enterprise cloud. The Foundation serves over 580 members worldwide in the Industrial Automation, IT, IoT, IIoT, M2M, Industrie 4.0, Building Automation, machine tools, pharmaceutical, petrochemical, and Smart Energy sectors.
For more information
– about the OPC Foundation, please visit https://opcfoundation.org.
– about the OPC UA Security, please visit https://opcfoundation.org/security
Stefan Hoppe, Global Vice President, OPC Foundation